We discuss how to design mechanically an information processing system presented with two independent requirements, one of which shows information flow to perform some process and one which prohibits illegal information flow. To do this, we introduce one well-known security model the "Bell and LaPadula model" and formulate this design problem. This problem then becomes a security level assignment problem. We show that the design possibilities and level assignment can be mechanically solved by expressing the inequalities in graph theoretical form and by using an analytical method of graph theory.

The performance of an enciphered B+-tree can be improved by the selective encryption of the components of the nodes in the tree. This paper suggests an approach to the selective encryption of nodes in a B+-tree and a method to substitute the plaintext search keys in order to increase the security of the tree. The method is based on structures in combinatorial block designs, and it allows for faster traversal of the tree, hence improving the overall speed of query responses. It also represents a trade-off between security and performance in that the substitution method affords less security compared to encryption. However, assuming the use of a secure cryptosystem with parameters which are kept secret, the encrypted state of the data pointers and data blocks still prevents an intruder from accessing the stored data. The method based on block designs has the advantage of requiring only a small amount of information being kept secret. This presents a considerable savings in terms of space used to hold security-related information.

The security problems of object-oriented database system are investigated and security level assignment constraints and an access control mechanism based on the multilevel access control security policy are proposed. The proposed mechanism uses the Trusted Computing Base. A unique feature of the mechanism is that security levels are assigned not only to data items (objects), but also to methods and methods are not shown to the users whose security level is lower than that of the methods. And we distinguish between the security level of a variable in a class and that in an instance and distinguish between the level of an object when it is taken by itself and it is taken as a variable or an element of another complex object. All of this realizes the policy of multilevel access control.